CVE-2024-26883

bpf: Fix stackmap overflow check on 32-bit arches

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stackmap overflow check on 32-bit arches

The stackmap code relies on roundup_pow_of_two() to compute the number
of hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code.

The commit in the fixes tag actually attempted to fix this, but the fix
did not account for the UB, so the fix only works on CPUs where an
overflow does result in a neat truncation to zero, which is not
guaranteed. Checking the value before rounding does not have this
problem.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf: corrige la verificación de desbordamiento del mapa de pila en arcos de 32 bits. El código del mapa de pila se basa en roundup_pow_of_two() para calcular el número de depósitos de hash y contiene una verificación de desbordamiento verificando si el valor resultante es 0. Sin embargo, en arcos de 32 bits, el código de resumen en sí puede desbordarse al realizar un desplazamiento hacia la izquierda de 32 bits de un valor largo sin signo, lo cual es un comportamiento indefinido, por lo que no se garantiza que se trunque claramente. Esto fue activado por syzbot en el tipo DEVMAP_HASH, que contiene la misma verificación, copiada del código hashtab. La confirmación en la etiqueta de correcciones en realidad intentó solucionar este problema, pero la corrección no tuvo en cuenta la UB, por lo que la corrección solo funciona en CPU donde un desbordamiento resulta en un truncamiento claro a cero, lo cual no está garantizado. Verificar el valor antes de redondear no tiene este problema.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-17 CVE Published
2024-04-30 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (17)

URL	Tag	Source
https://git.kernel.org/stable/c/063c722dd9d285d877e6fd499e753d6224f4c046	Vuln. Introduced
https://git.kernel.org/stable/c/7e3a6b820535eb395784060ae26c5af579528fa0	Vuln. Introduced
https://git.kernel.org/stable/c/8032bf2af9ce26b3a362b9711d15f626ab946a74	Vuln. Introduced
https://git.kernel.org/stable/c/6183f4d3a0a2ad230511987c6c362ca43ec0055f	Vuln. Introduced
https://git.kernel.org/stable/c/253150830a012adfccf90afcebae8fda5b05a80f	Vuln. Introduced
https://git.kernel.org/stable/c/766107351731ae223ebf60ca22bdfeb47ce6acc8	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/d0e214acc59145ce25113f617311aa79dda39cb3	2024-03-26
https://git.kernel.org/stable/c/21e5fa4688e1a4d3db6b72216231b24232f75c1d	2024-03-26
https://git.kernel.org/stable/c/15641007df0f0d35fa28742b25c2a7db9dcd6895	2024-03-26
https://git.kernel.org/stable/c/ca1f06e72dec41ae4f76e7b1a8a97265447b46ae	2024-03-26
https://git.kernel.org/stable/c/f06899582ccee09bd85d0696290e3eaca9aa042d	2024-03-26
https://git.kernel.org/stable/c/7070b274c7866a4c5036f8d54fcaf315c64ac33a	2024-03-26
https://git.kernel.org/stable/c/43f798b9036491fb014b55dd61c4c5c3193267d0	2024-03-26
https://git.kernel.org/stable/c/0971126c8164abe2004b8536b49690a0d6005b0a	2024-03-26
https://git.kernel.org/stable/c/7a4b21250bf79eef26543d35bd390448646c536b	2024-03-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.177 < 4.19.311 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.177 < 4.19.311"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.99 < 5.4.273 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.99 < 5.4.273"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.17 < 5.10.214 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.17 < 5.10.214"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 5.15.153 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.153"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.1.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.6.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.7.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.8.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.9.258 Search vendor "Linux" for product "Linux Kernel" and version "4.9.258"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.222 Search vendor "Linux" for product "Linux Kernel" and version "4.14.222"		en		Affected